2,686 69 27MB
English Pages 284 Year 2023
Zed Attack Proxy Cookbook
Hacking tactics, techniques, and procedures for testing web applications and APIs
Ryan Soper Nestor N Torres Ahmed Almoailu
BIRMINGHAM—MUMBAI
Zed Attack Proxy Cookbook Copyright © 2023 Packt Publishing All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews. Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book. Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information. Associate Group Product Manager: Mohd Riyan Khan Senior Editor: Divya Vijayan Technical Editor: Irfa Ansari Copy Editor: Safis Editing Project Coordinator: Ashwin Kharwa Proofreader: Safis Editing Indexer: Manju Arasan Production Designer: Prashant Ghare Marketing Coordinator: Ankita Bhonsle and Marylou De Mello First published: March 2023 Production reference: 1100223 Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK. ISBN 978-1-80181-733-2 www.packtpub.com
A hacker is like a spider, weaving their way through the intricate webs of the internet, uncovering secrets and breaking down barriers. – Ryan Soper
Writing this book has been a journey akin to a trainer’s quest to conquer each gym in Pokemon. Each chapter was a new gym leader to defeat, each obstacle a new Pokemon to train and evolve, but in the end, it was all worth it for the ultimate victory. – Nestor N Torres
Writing this book was an experience. When we decided to write a book at a coffee shop on a normal Tuesday night, the idea seemed easy. A few months in and a lot of sleepless nights later, we were tired and almost gave up on finishing the book. That is when we started to motivate and push each other so we could make each and every deadline. I am thankful I had a great team (Nestor and Ryan) to write a book with. Having a great team makes the impossible seem possible. – Ahmed Almoailu
Contributors About the authors Ryan Soper is a lead penetration tester, senior application security engineer, and veteran of the US Coast Guard. His experience includes penetration testing, application security, and IT consulting, among more, throughout his career. He’s an active member and organizer of the DefCon813 chapter, a member of the OWASP Tampa chapter, and enjoys connecting with others throughout the community at conferences or other various networking events. He can be contacted at ryans.wapt@gmail. com or followed on Twitter at @soapszzz. Ryan is an ambassador for the Innocent Lives Foundation (ILF), a group of hackers that work with law enforcement to protect children from online predators. Your support will help the team to continue their important work. I urge you to consider making a donation to the ILF at https:// www.innocentlivesfoundation.org/donate/. I am deeply honored to present this book to you, and I could not have done so without my family’s unwavering love and support. My beautiful bride, Victoria, and my beloved daughter, Noelle, have been my constant source of inspiration and motivation throughout the many late nights and long absences required of my military and professional pursuits. Their love has been my anchor, and their presence is a constant reminder of what truly matters in life. I am forever grateful to them and dedicate this book to them, my soulmates.
Nestor N Torres is a senior application security engineer and web application penetration tester. His experience includes application security, IT consulting, penetration testing, and mobile penetration testing. He is an active member and organizer of the DefCon813 chapter and OWASP Tampa chapter, who enjoys helping new colleagues interested in joining the cyber security field. You can find him at his local BSides in Orlando and Tampa and other conferences such as Defcon and OWASP events. He can be contacted at [email protected] or followed on Twitter at @n3stortorres. I am deeply grateful to my family for supporting and encouraging me to follow my dream. I am also thankful to the team that worked with me in Ybor City, Tampa, who played a crucial role in my cyber security and hacking journey. These people took a chance on me, giving me my first opportunity in the cyber security field, which opened the door to a vibrant community of like-minded individuals who have helped shape my career. Additionally, I am forever grateful to Sunny Wear, who introduced me to the world of web application security testing and continuously challenged me to grow and learn within the field. Without their guidance and support, I would not have found my passion in this exciting and everevolving field. My deepest gratitude for their impact on my career and this book is dedicated to them.
Ahmed Almoailu is a cyber security engineer with years of experience in vulnerability management, risk management, network security, cloud security, and endpoint security. He has a Master of Science in Cybersecurity and a Bachelor of Science in computer information systems from Saint Leo University and is currently working in healthcare. He is a member of the DefCon813 chapter and participates in security events in the community. Ahmed holds CASP+, Security+, Certified Ethical Hacker (CEH), eJPT, and AWS Cloud Practitioner certifications. Ahmed can be contacted at ahmed.wapt@ gmail.com. It is with the utmost gratitude and appreciation that I dedicate this book to my family. My father, Shawqi H. Almoailu, my mother, and my sisters have been my greatest supporters and guides throughout my life. Their trust, belief, and guidance have been invaluable to me and have helped shape the person I am today. I am eternally grateful for the love and values they have instilled in me; without them, I would not be where I am today. This book is a testament to their unwavering support and encouragement. Thank you.
About the reviewers Jonathan Singer is a career cybersecurity practitioner with almost two decades of experience. In the prior role, he secured web applications at scale in large data centers delivering hundreds of thousands of websites and hosted services. Today, Jonathan holds a master’s degree in cybersecurity and architects enterprise security solutions for Fortune 500 companies. You can often find him on stage at local security conferences as a guest speaker or helping attendees as a Goon at DEF CON.
Steve Raslan is an expert Application Security Engineer and Software Developer with a ComptiaTIA Security+ certificate and a Cyber & Network Security certificate from the prestigious Georgia Tech. Steve comes with a multitude of years within software security architecture and design, code security reviews & secure coding principles and is highly versed in OWASP vulnerability management and remediation. He has a proven ability at developing micro-automation solutions that automate application security tasks as well as providing developer-friendly cross platform application security solutions.
Disclaimer The information within this book is intended to be used only in an ethical manner. Do not use any information from the book if you do not have written permission from the owner of the equipment. If you perform illegal actions, you are likely to be arrested and prosecuted to the full extent of the law. Packt Publishing does not take any responsibility if you misuse any of the information contained within the book. The information herein must only be used while testing environments with properly written authorizations from the appropriate persons responsible.
Table of Contents Preface
xvii
1 Getting Started with OWASP Zed Attack Proxy Downloading ZAP
2
1
Setting up a browser proxy and certificate
16
Getting ready How to do it... How it works...
16 16 22
Getting ready How to do it... Installing Docker See also
2 2 11 11
Setting up the testing environment
12
Testing the ZAP setup
22
Getting ready How to do it... How it works... There’s more...
12 12 16 16
Getting ready How to do it... How it works...
22 22 23
2 Navigating the UI
25
Technical requirements Persisting a session
25 26
There’s more…
28
Getting ready How to do it… How it works…
26 26 27
Toolbar
28
Menu bar
27
Getting ready How to do it… How it works… See also
28 28 30 31
Getting ready How to do it… How it works…
27 27 27
The tree window
31
Getting ready
31
x
Table of Contents How to do it… How it works…
31 33
How to do it… How it works…
41 41
Workspace window
33
Encode/Decode/Hash dialog
41
Getting ready How to do it… How it works…
33 34 35
Information window
35
Getting ready How to do it… How it works… See also
42 42 44 44
Getting ready How to do it… How it works… There’s more…
35 35 40 40
Fuzzing with Fuzzer
44
Getting ready How to do it… How it works… There’s more… See also
44 44 50 50 50
Footer40 Getting ready
40
3 Configuring, Crawling, Scanning, and Reporting Technical requirements Setting scope in ZAP
51 52
Getting ready How to do it… How it works…
52 52 53
Crawling with the Spider
53
Getting ready How to do it… How it works…
53 53 57
Crawling with the AJAX Spider
58
Getting ready How to do it… How it works… There’s more… See also
58 58 62 62 63
Scanning a web app passively
64
Getting ready How to do it…
64 64
51
How it works… There’s more… See also
65 65 66
Scanning a web app actively
66
Getting ready How to do it… How it works… There’s more… See also
66 66 71 71 71
Generating a report
71
Getting ready How to do it… How it works… See also
71 71 77 77
Table of Contents
4 Authentication and Authorization Testing Technical requirements 79 Testing for Bypassing Authentication 79
79
Testing Directory Traversal File Include88
Getting ready How to do it… How it works…
80 80 82
Testing for Credentials Transported over an Encrypted Channel
Getting ready How to do it… How it works… See also
88 88 90 90
82
Getting ready How to do it… How it works…
83 83 84
Testing for Privilege Escalation and Bypassing Authorization Schema
91
Testing for Default Credentials
84
Getting ready How to do it… How it works…
91 91 94
Getting ready How to do it… How it works… There’s more… See also
84 84 87 88 88
Testing for Insecure Direct Object References95 Getting ready How to do it… How it works… There’s more…
95 95 96 96
5 Testing of Session Management
97
Technical requirements
97
Testing for logout functionality
Mutillidae setup
97
Getting ready How to do it... How it works... There’s more... See also
Testing for cookie attributes Getting ready How to do it... How it works...
100 100 101 103
Testing for cross-site request forgery (CSRF)103 Getting ready How to do it... How it works...
103 104 107
Testing for session hijacking Getting ready How to do it... How it works... There’s more... See also
107 107 107 111 111 111
111 111 112 113 114 114
xi
xii
Table of Contents
6 Validating (Data) Inputs – Part 1 Technical requirements Testing for reflected XSS Getting ready How to do it… How it works… There’s more… See also
Testing for HTTP verb tampering Getting ready How to do it… How it works… There’s more… See also
115 116
115 Testing for HTTP Parameter Pollution (HPP)
116 116 117 117 118
Getting ready How to do it… How it works… See also
118
Getting ready How to do it… How it works… There’s more… See also
119 119 122 122 123
Testing for SQL Injection
123 123 123 126 126
126 127 127 131 131 132
7 Validating (Data) Inputs – Part 2 Technical requirements Testing for code injection Getting ready How to do it... How it works...
Testing for command injection Getting ready How to do it... How it works... There’s more... See also
133 133 134 134 137
137 138 138 141 141 142
133 Testing for server-side template injection142 Getting ready How to do it... How it works... There’s more... See also
142 143 146 146 146
Testing for server-side request forgery147 Getting ready How to do it... How it works... There’s more... See also
147 147 152 153 153
Table of Contents
8 Business Logic Testing Technical requirements Test ability to forge requests Getting ready How to do it… How it works… See also
Test for process timing Getting ready How to do it… How it works… See also
155 155 156 156 156 159 159
159 159 160 168 169
Testing for the circumvention of workflows169 Getting ready How to do it… How it works... See also
Testing upload of unexpected file types with a malicious payload Getting ready How to do it… How it works... See also
169 169 171 171
172 173 173 175 176
9 Client-Side Testing
177
Technical requirements 178 Testing for DOM-based cross-site scripting178 Getting ready How to do it... How it works... There's more...
Testing for JavaScript execution Getting ready How to do it... How it works... There's more...
Testing for HTML injection Getting ready How to do it... How it works... There's more...
178 178 180 180
182 182 182 186 186
186 186 186 187 188
Testing for client-side URL redirect Getting ready How to do it... How it works... There's more...
189 190 190 193 193
Testing cross-origin resource sharing 194 Getting ready How to do it... How it works... There's more...
Testing WebSockets Getting ready How to do it... How it works... There's more... See also
194 194 198 198
199 199 199 202 202 203
xiii
xiv
Table of Contents
10 Advanced Attack Techniques Technical requirements Performing XXE attacks Getting ready How to do it... How it works...
Working with JSON Web Tokens Getting ready How to do it... How it works... There’s more...
205 205 205 206 206 207
208 208 208 211 211
Performing Java deserialization attacks211 Getting ready How to do it...
212 212
How it works... There’s more... See also
214 214 214
Password brute-force via password change214 Getting ready How to do it... How it works... See also
Web cache poisoning Getting ready How to do it... How it works... See also
215 215 218 219
220 220 220 225 225
11 Advanced Adventures with ZAP Technical requirements How to use the ZAP GUI local API to scan a target Getting ready How to do it… How it works…
227
Utilizing ZAP DAST testing with Jenkins235
228
Getting ready How to do it… How it works… There’s more… See also
228 228 230
How to use the ZAP API via Docker 231 Getting ready How to do it… How it works… There’s more… See also
227
231 231 233 233 234
235 235 241 242 242
Installing, configuring, and running the ZAP GUI OAST server 242 Getting ready How to do it… How it works… There’s more… See also
242 243 246 246 247
Table of Contents
Index
249
Other Books You May Enjoy
256
xv
Preface Welcome to the world of Open Web Application Security Project Zed Attack Proxy (OWASP ZAP), a powerful and versatile tool for web application security testing. OWASP ZAP, or Zed Attack Proxy, is an open source tool developed by the Open Web Application Security Project (OWASP) community. It was first released in 2010 and has since become one of the most popular and widely used web application security testing tools in the world. OWASP ZAP is designed to help security professionals and hackers identify and exploit vulnerabilities in web applications. It can be used to perform both automated and manual testing, making it a versatile tool that can be tailored to suit the needs of any organization. The tool’s features include an easy-to-use interface, a wide range of built-in security checks, and the ability to integrate with other security tools. One of the key benefits of OWASP ZAP is its open source nature. This means that the tool is constantly being updated and improved by the OWASP community, making it one of the most comprehensive and up-to-date web application security testing tools available. Additionally, the large and active community behind the tool means that there are plenty of resources available to help users get the most out of it. In this book, we will explore the features and capabilities of OWASP ZAP in depth, providing a comprehensive guide to using the tool to identify and exploit vulnerabilities in web applications. Whether you are a security professional, a developer, or a hacker, this book will provide you with the knowledge and skills you need to effectively use OWASP ZAP to secure your web applications. In conclusion, OWASP ZAP is a powerful and versatile tool that can be used by anyone looking to identify and exploit vulnerabilities in web applications. With its open source nature, active community, and range of built-in security checks, it is an excellent choice for anyone looking to secure their web applications.
Who this book is for OWASP ZAP is primarily for web application security professionals, developers, educators, and hackers. It is a powerful tool that can be used to identify and exploit vulnerabilities in web applications, making it an important tool for anyone who is responsible for the security of web-based systems. It’s worth noting that while OWASP ZAP can be used to identify and exploit vulnerabilities, it is not intended to be used to carry out malicious attacks or compromise systems without permission. The tool is designed to help organizations identify and fix vulnerabilities in their web applications, not to facilitate unauthorized access or other malicious activities. Therefore, it is important that users of the tool understand and adhere to ethical hacking principles when using the tool.
xviii
Preface
What this book covers Chapter 1, Getting Started with OWASP Zed Attack Proxy, introduces you to ZAP, its maintenance within the OWASP organization, its purpose in penetration testing, and how to install and configure it on various platforms, set up a basic lab environment, and use it for testing. Chapter 2, Navigating the UI, explains how to locate and use various windows, tools, and features in ZAP for penetration testing, such as setting a target, manually exploring an application, modifying responses, and testing specific parameters with payloads. Chapter 3, Configuring, Crawling, Scanning, and Reporting, teaches you how to configure and use the crawling, scanning, and reporting features of ZAP, understand how these sections work, set up project settings to assess an application, and customize the user options for a personalized experience. Chapter 4, Authentication and Authorization Testing, shows you how to test and bypass authentication and authorization mechanisms, including intercepting and using default credentials, bypassing authentication, testing for default credentials, exploiting directory traversal attacks, escalating privileges, and testing for insecure direct object references. Chapter 5, Testing of Session Management, teaches you how to manipulate the mechanism that controls and maintains the state for a user interacting with an application, covering topics such as testing cookie attributes, cross-site request forgery, exploiting logout functionality, and session hijacking. Chapter 6, Validating (Data) Inputs – Part 1, explores the most common types of web application security weaknesses, such as cross-site scripting, HTTP verb tampering, HTTP parameter pollution, and SQL injection, and how to exploit them using ZAP. Chapter 7, Validating (Data) Inputs – Part 2, discusses the advanced types of web application injection attacks, such as code injection, command injection, server-side template injection, and server-side request forgery, and how to exploit them using ZAP. Chapter 8, Business Logic Testing, delves into unconventional methods for testing business logic flaws in a multifunctional dynamic web application, including forging requests, testing process timing, testing functionality limits, the circumvention of workflows, and uploading unexpected file types with malicious payloads. Chapter 9, Client-Side Testing, covers client-side testing and the attack scenarios that come up against it, such as DOM cross-site scripting, JavaScript execution, HTML injection, URL redirect attacks, cross-origin resource sharing vulnerabilities, and the exploitation of web sockets. Chapter 10, Advanced Attack Techniques, explores several additional advanced attacks, such as performing XXE, the exploitation of Java Web Tokens (JWT), Java deserialization, and web-cache poisoning. Chapter 11, Advanced Adventures with ZAP, teaches you about other features and functionalities that ZAP has, such as running dynamic scans via the local API, running ZAP as a dynamic scan in a CI pipeline, and integrating and using the built-in OWASP application security out-of-band server for testing.
Preface
To get the most out of this book To get the most out of Zed Attack Proxy Cookbook, you should keep informed and use the community resources. OWASP ZAP is an open source tool that is constantly being updated and improved, so it’s important that you stay up to date with the latest version. Also, the OWASP community is very active, and there are a lot of resources available that can help you get the most out of the tool. Software/hardware covered in the book
Operating system requirements
Java
Windows, macOS, or Linux
Docker Desktop/Docker Compose
Windows, macOS, or Linux
OWASP Juice-Shop
Windows, macOS, Linux, or Docker
Mutillidae II
Windows, macOS, or Linux
Jenkins
Windows, macOS, Linux, or Docker
If you are using the digital version of this book, we advise you to type the code yourself or access the code from the book’s GitHub repository (a link is available in the next section). Doing so will help you avoid any potential errors related to the copying and pasting of code. In addition, with ZAP, practice makes perfect. ZAP is a tool designed to help organizations identify and fix vulnerabilities in their web applications, and in the world of the web, the various methods and combinations that developers use to design, build, and implement is infinite. Practicing and seeing how web applications are put together will only make you a stronger web application penetration tester with ZAP.
Download the example code files You can download the example code files for this book from GitHub at https://github.com/ PacktPublishing/Zed-Attack-Proxy-Cookbook. If there’s an update to the code, it will be updated in the GitHub repository. We also have other code bundles from our rich catalog of books and videos available at https:// github.com/PacktPublishing/. Check them out!
Download the color images We also provide a PDF file that has color images of the screenshots and diagrams used in this book. You can download it here: https://packt.link/oBhpt.
xix
xx
Preface
Conventions used There are a number of text conventions used throughout this book. Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: “Mount the downloaded WebStorm-10*.dmg disk image file as another disk in your system.” A block of code is set as follows: pipeline { agent any parameters { choice(name: "ZAP_SCAN", choices: ["zap-baseline. py", "zap-full-scan.py"], description: "Parameter to choose type of ZAP scan") string(name: "ENTER_ When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:
Testing for client-side URL redirect
• Redirecting users: An attacker could inject JavaScript code into a web page that redirects users to a malicious website. For example, the attacker could inject code that changes the value of the location property in the browser, causing the user to be redirected to a phishing site that mimics a proper site:
• Phishing: An attacker may inject JavaScript code into a web page to direct users to a malicious website. For instance, the attacker may include code that alters the location field’s value and directs the visitor to a phishing web page that perfectly resembles a legitimate website:
• SQL injection: An attacker could insert SQL queries into a web application, which could give them unauthorized access to the database and allow them to extract, change, or remove data. For instance, the attacker may insert code that returns all the information from the users table, such as UNION SELECT * FROM users":
Testing for client-side URL redirect URL redirect attacks (open redirection) occur when applications allow untrusted user input where an attacker serves a user a hyperlink. This hyperlink then sends them to an external URL that’s different from the intended web page the user was attempting to access. In layman’s terms, it’s when an attacker sends a user from the current page to a new URL.
189
190
Client-Side Testing
Getting ready This lab requires a PortSwigger Academy account and ZAP to intercept requests and responses from the server to your browser.
How to do it... In this recipe, the lab uses open authorization (OAuth) services to authenticate the fake social media account. You, the attacker, will exploit a misconfiguration in OAuth to steal authorization tokens linked to another user’s account to gain access and remove a user, Carlos: 1. Navigate to the URL with the browser proxied to ZAP and log into the PortSwigger Academy website to launch the lab (https://portswigger.net/web-security/oauth/ lab-oauth-account-hijacking-via-redirect-uri). 2. First, ensure you are capturing requests in ZAP. Then click on My account and use the credentials provided to log in via OAuth. A message on the web page will indicate that you are being redirected. In addition, in the URL, you will see that you are using OAuth (shown in Figure 9.9):
Figure 9.9 – The OAuth URL
3. Log out by clicking My Account and then log back in again. You’ll notice you are logged in immediately. This is because there is still an active session with the OAuth service; therefore, you don’t need to provide a username and password to re-authenticate. 4. In ZAP, look in the History tab, where the most recent OAuth request can be found. Begin by typing GET /auth?client_id=[...]. You are immediately redirected to redirect_uri after this request has been sent together with the authorization code in the request message (see Figure 9.10):
Figure 9.10 – Authorization request
Testing for client-side URL redirect
5. Right-click and open this /auth?client_id= request in Manual Request Editor. 6. In this request (see Figure 9.11), you can send any random value as the redirect_uri without causing errors. This is the parameter that you’ll use to create the malicious redirect URL:
Figure 9.11 – The redirect_uri manipulation
7. Next, input the exploit server Uniform Resource Identifier (URI) as redirect_uri. Then right-click and copy the request URL. Enter this URL into the browser address bar, and press enter to send the request. You’ll see the web page open with the default message that was in the body on the exploit server page; Hello world!. 8. Look back inside the exploit server’s access log, and you’ll see that there’s a log entry with your authorization code. This lets you know that the authorization code is leaking to an external domain (see Figure 9.12):
Figure 9.12 – The exploit server access log with the authorization code
9. Now hold on to that same URL but go back to the main exploit server page and paste this into an iframe (see the following code snippet) of the body: OAUTH-ID, CLIENT-ID (the OAuth ID from when you first logged in), and EXPLOIT-ID (the ID of the exploit server) are correct:
191
192
Client-Side Testing
10. Next, click Store at the bottom to upload the exploit. Once this is done, do not click View exploit but copy the entire URL from src" ", open a new browser tab, paste the URL into the address bar, and navigate to it. Again, as before, this will open an iframe that shows the exploit server web page inside. 11. Close the browser tab and go back to the exploit server and check the Access log. You’ll see the log shows a GET /?code= request with a newly generated code, as seen in Figure 9.13. This is your code but it will allow you to understand whether the exploit is working:
Figure 9.13 – The access logs of the iframe payload
12. Deliver the same exploit to the victim, then go back to the Access Log and look for a newly generated code from a different IP address. Copy the victim’s code from the result in the log: Important note If there’s a dash (-) at the end of the code string, be sure to copy this dash along with the entire code.
Figure 9.14 – The victim payload response
13. Log out of the entire website first and with the new captured code, craft a new oauth-callback URL and paste it into the address bar of the browser and navigate to it: https://LAB-ID.web-security-academy.net/oauthcallback?code=STOLEN-CODE 14. OAuth will auto-complete authentication and log you in as the administrator. 15. Go to the Admin panel. 16. Delete Carlos.
Testing for client-side URL redirect
How it works... The OAuth 2.0 framework is a very common tool used for authentication, yet it is common for vulnerabilities to occur due to misconfigurations. One essential component of the OAuth flow is redirect URLs. The authorization server will direct the user back to the application once the user has successfully authorized a certain application. It is essential that the service does not reroute the customer to random places since the redirect URL includes crucial information. OAuth providers are a prime target for phishing attacks since they fail to validate redirect_uri when delivering the access_token through the browser redirect. In this attack, the threat actor provides the target with a URL to a trusted authentication portal, and by using this authentication portal, the malicious user can send the victim’s secret access_token to their controlled web server, which allows the attacker access to unintended resources.
There's more... Users can offer access to their resources (i.e., data or an API) to a third-party application using the OAuth protocol without disclosing their login information. The following three key elements generally make up the OAuth authentication process: • The client application: This is a third-party program that seeks to gain access to the user’s resources. It must be registered with the OAuth provider and be equipped with a client ID and secret. • The authorization server: This is the server responsible for managing the user’s resources and authenticating the user. It is normally managed by the OAuth provider (such as Google, Facebook, Twitter, Linkedin, Windows Live, etc.) and is in charge of providing client application access. • The resource owner: This is the user who has access to the resources that the client application wishes to use. The resource owner must provide the client application access to their resources. The client application redirects the user to the authorization server’s login page during the OAuth authentication procedure. After that, the user inputs their login information and gives access to the client application. The authorization server then refers the user back to the client application, providing the client with an access token to access the user’s resources. Important note Additional components, such as the resource server, which stores the user’s resources, and the token endpoint, which gives the access token, may be included in some implementations of OAuth.
193
194
Client-Side Testing
After a user grants access to a client application, an attacker can send them to a malicious website using an OAuth redirection attack (also called an open redirection attack). This can be accomplished by fooling the user into clicking on a link containing a malicious redirect URI or changing the redirect URI that the client application uses. The attacker can take the access token and use it to access the user’s resources once the user has been forcibly redirected to the malicious website. Here is a simplified example of an attacker’s URL string that could be used to execute this type of attack: https://legitimate-oauth-provider.com/authorize?redirect_ uri=https://attacker-controlled-website.com/redirect The redirect URI of the client application, the authorization endpoint of the legal OAuth provider, and a query parameter pointing to the attacker’s website are all included in this example’s URL string. The attacker’s website will serve as the redirect URI when the victim clicks the link, which causes their browser to submit a request with this URL string to the authentic OAuth provider’s website.
Testing cross-origin resource sharing To understand cross-origin resource sharing (CORS) vulnerability, first, you have to understand the same-origin policy. The same-origin policy was created to restrict the ability of websites to access resources that are not from the source domain. Although for some websites the same-origin policy is a problem, many websites nowadays interact with subdomains or third-party websites that need cross-origin exceptions. CORS was created to resolve this issue.
Getting ready This lab requires a PortSwigger Academy account and ZAP to intercept requests and responses from the server to your browser. The login credentials for the lab web application are as follows: • Username: wiener • Password: peter
How to do it... In this recipe, the lab introduces a vulnerable website with an insecure CORS configuration to trust all origins. To solve this, we’ll form a malicious JavaScript function using CORS to retrieve an administrator’s API key and then upload the code to the server.
Testing cross-origin resource sharing
Take the following steps to get started: 1. Navigate to the URL with the browser proxied to ZAP and log into the PortSwigger Academy website to launch the lab (https://portswigger.net/web-security/cors/lab-basic-originreflection-attack). 2. Fire up ZAP and ensure you use either the manual explorer and launch the Firefox browser or have a browser extension tool enabled for proxying the page. 3. Once the lab loads and you reach the homepage of the application, click My Account. Use the credentials provided to log in and access the Account page. 4. Review the history and look at the response header (see Figure 9.15), which will have your key that was retrieved by an AJAX request to /accountDetails. Within the same response, you will see the Access-Control-Allow-Credentials header. This lets us know it may be CORS:
Figure 9.15 – The API key response header
5. Next, right-click the request and open it in Manual Request Editor. Then resubmit the request with the added header (see Figure 9.16): origin: https://zaprules.com
195
196
Client-Side Testing
Here, we see the origin header where we inputted our domain reflected back to us:
Figure 9.16 – Added origin header
6. You’ll see that the URL we entered as origin is reflected back in the Access-ControlAllow-Origin header:
Figure 9.17 – The response header showing origin
7. In the lab at the top of the browser, click Go to exploit server and enter the following payload HTML script. Be sure to replace with your unique lab URL that generates when you first start the lab:
In Figure 9.18, we see the lab header, which shows the Go to exploit server button and the Submit solution button to solve the lab:
Figure 9.18 – Link to the exploit server
8. Click View exploit at the bottom of the page. This will help ensure that the exploit works and that you have landed on the log page with your API key in the URL, as shown in Figure 9.20:
Figure 9.19 – View exploit logs
9. Go back to the exploit server and first click Store, then click Deliver exploit to victim to send the exploit:
Figure 9.20 – The Deliver exploit to victim button
197
198
Client-Side Testing
10. After sending the exploit, click Access log to retrieve the administrator’s API key from the /log?key= log entry. For an easier way of searching, look at the IP address in the left column:
Figure 9.21 – The Admin’s API key
11. To complete, use the Submit solution button that’s at the top of the lab web page. It can be seen from either the main lab page or when osn the exploit server page.
How it works... CORS allows websites to request resources from other websites by utilizing HTTP headers to set the allowed origins. The headers used by CORS are Access-Control-Allow-Origin and Access-Control-Allow-Credentials. Access-Control-Allow-Origin has three values, which are: a wild card (*) that allows all origins, that specifies only one origin, and null, which is used for multiple reasons, some of them are when the website is receiving crossorigin redirects or using file: protocol. The Access-Control-Allow-Credentials header only takes a true value and is used to send authentication information. This vulnerability arises as a result of misconfiguration. Misconfiguration could be but is not limited to, allowing all origins or accepting all origins ending in a specific string, such as zapproxy.com. An attacker could register attackersitezapproxy.com, and this origin will be accepted. The impact of CORS vulnerabilities depends on which header is set and the information that the website provides. If the Access-Control-Allow-Credentials is set to true, an attacker could extract authentication information from the website.
There's more... CORS attacks can be used with other forms of attacks to exploit additional vulnerabilities in a targeted server. Here are some types of attacks that may be combined with CORS: • XSS: A CORS attack can be used by an attacker to circumvent the same-origin policy and inject malicious code into a website, allowing them to steal sensitive information from website visitors • CSRF: An attacker can employ a CORS attack to fool a server into believing that a request is coming from a trustworthy source, allowing them to undertake activities on behalf of a genuine user
Testing WebSockets
• Phishing: An attacker can use a CORS attack to generate a bogus login page on a malicious website and then use the CORS attack to access the user’s personal information after their credentials are entered An attacker often initiates these sorts of attacks by modifying the request headers to fool the server into thinking the request is coming from a trustworthy origin, generating phony login pages, or injecting malicious code. The attacker must also be able to steal the authentication tokens or obtain the sensitive data that is being exposed.
Testing WebSockets WebSockets are an ongoing, two-way channel of communication between a client and backend service, such as a database or an API service. WebSockets may transmit any number of protocols and offer server-to-client message delivery without polling (the process of one program or device repeatedly checking the status of other programs or devices).
Getting ready This lab requires a PortSwigger Academy account and ZAP to intercept requests and responses from the server to your browser. Before starting the lab, within ZAP, go to Tools, Options, and scroll down to the WebSockets section. Here you must enable Break on enabled ‘all request/response break buttons’. Otherwise, you will not be able to capture the WebSocket request and manipulate it to complete this lab.
How to do it... WebSockets are being used to implement the live chat feature in this online store. In this recipe, a fictitious support representative, aka a bot, will read the chat message requests you send. While interpreting the responses, we’ll use a WebSocket message to create an alert() popup on the support agent’s browser. If successful, it will automatically complete the lab. Take the following steps to get started: 1. Navigate to the URL with the browser proxied to ZAP and log into the PortSwigger Academy website to launch the lab (https://portswigger.net/web-security/websockets/ lab-manipulating-messages-to-exploit-vulnerabilities). 2. Within ZAP, enter the scoped URL into the manual explorer and launch the browser to open up Firefox. Click Continue to your target. 3. In the upper right-hand corner of the web application, click Live chat and send a random chat message.
199
200
Client-Side Testing
4. Go to the WebSockets History tab in ZAP, and look for the chat message that you previously sent in the original WebSocket message (see Figure 9.22):
Figure 9.22 – The WebSockets History tab
5. Back within the application, send another new message, but this time containing a less-than character: < 6. Look back in the ZAP WebSocket history to find the corresponding WebSocket message and observe that the less-than symbol has been converted to HTML-encoded by the client before sending, as in Figure 9.23:
Figure 9.23 – HTML-encoded less-than character
7. Again, send another chat message, but this time set a breakpoint, and while your message is in transit, manipulate the request to contain the following payload:
Testing WebSockets
Important note If the Live Chat feature of the web application stops working or the chat says Disconnected, open a new Live Chat to continue the recipe. 8. The browser will trigger an alert, which will also happen on the support agent’s client side:
Figure 9.24 – A JavaScript alert
In the first screenshot, you see the alert box pop up on the client side. Over in the chat message in Figure 9.25, you see a blank HTML icon for the image tag. This is our malicious payload:
Figure 9.25 – A successful attack shown in a chat
201
202
Client-Side Testing
How it works... According to RFC 6455, the WebSocket Protocol enables two-way communication between a client running erroneous code in an organized element and a remote host that has granted permission for communications from that code. This uses the origin-based security concept, widely utilized by online browsers. The protocol starts with a handshake and then layers the Transmission Control Protocol (TCP) with some simple message framing. This technology’s objective is to give browser-based applications that require two-way communication with servers a method of doing so without having to initiate several HTTP connections (that is, by utilizing XMLHttpRequest or s and lengthy polling). Important note Some assaults may result in the loss of your connection, in which case you must create a new one. Practically any web security flaw may occur in regard to WebSockets: • Improper handling of user input when transferred to the server creates flaws such as SQL injection or XML external entity (XXE) injection • Blind WebSocket vulnerabilities may need to be exploited through out-of-band (OAST) methods • XSS or other client-side vulnerabilities may result if attacker-controlled data is sent over WebSockets to other application users
There's more... When initializing your methodology before attacking a WebSocket, look at the JavaScript files or the page’s source code to discover the WebSocket endpoints. Look for the following in the JavaScript code: • wss:// • ws:// • websocket A WebSocket URL will be formatted as wss://example.com (wss:// for a secure socket layer (SSL) connection). Similar to https://, and ws://, which is like http://.
Testing WebSockets
Next, to determine whether the WebSocket endpoint is accepting connections from other origins within ZAP, examine the connections. Send a request from the Manual Request Editor with your origin specified in the origin header value. If the connection is successful, the server will reply with a status code 101, and your requested origin will be mirrored or notated with a wildcard (*) in the origin header of the response.
See also RFC6455: The WebSocket Protocol: https://www.rfc-editor.org/rfc/rfc6455
203
10 Advanced Attack Techniques Welcome to Chapter 10, Advanced Attack Techniques. In this chapter, we will cover some advanced attacks, such as XML external entity (XXE) attacks and Java deserialization, where we will explain and demonstrate exploiting these vulnerabilities on the testing applications. We will also have fun brute-forcing the password change on one of the applications, conducting web cache poisoning, and working with JSON Web Tokens. In this chapter, we will cover the following recipes: • Performing XXE attacks • Working with JSON Web Tokens • Performing Java deserialization attacks • Password brute-force via password change • Web cache poisoning
Technical requirements For this chapter, you need to utilize a common browser such as Mozilla Firefox. You will also utilize your PortSwigger account for access to the PortSwigger Academy labs that will be used in this chapter’s recipes.
Performing XXE attacks In an XXE attack, the attacker sends XML input that includes a reference to an external entity to an application. The XML input causes the application to behave in a manner that it was not intended to. Successful exploitation of an XXE attack can lead to an attacker viewing the content of files, exfiltrating data, server-side request forgery (SSRF), and remote code executions.
206
Advanced Attack Techniques
Getting ready This lab requires a PortSwigger Academy account and ZAP to be able to intercept requests and responses from the server to your browser.
How to do it... In this lab, we will walk through performing an XXE attack to retrieve the contents of the passwd file. Please follow these instructions: 1. Navigate to the URL with the browser proxied to ZAP and log into the PortSwigger Academy website to launch the lab. The lab we will work on in this section is Exploiting XXE Using External Entities to Retrieve Files. The link to the lab is accessed here: https://portswigger.net/ web-security/xxe/lab-exploiting-xxe-to-retrieve-files. 2. Start the lab, add it to the context, and click on Show only URLs in Scope. 3. On the lab home page, click on View details under any product. Then click on Check stock. 4. Clicking on Check stock sends a POST request to the application. Let’s find the POST request. Right-click the request and select Open/Resend with Request Editor. 5. Once the Request Editor window opens, add the following payload after the XML declaration and replace the product ID with the xxe external entity reference, as shown in Figure 10.1. Then, click Send:
Figure 10.1 – XXE attack
Performing XXE attacks
6. As you can see in the Response tab, the content of the passwd file is listed in the returned response, as shown in Figure 10.2:
Figure 10.2 – The passwd file
This concludes this lab.
How it works... An XXE attack is a type of vulnerability that can be found in applications that process XML input. This type of attack occurs when an attacker is able to inject malicious external entities into an XML document, which can then be used to compromise the security of the application or the underlying system. In an XXE attack, the attacker first creates an XML document containing a reference to an external entity, typically a remote file or resource. The attacker then submits this malicious XML document to the vulnerable application, which attempts to process it and access the external entity. This can cause the application to either crash or disclose sensitive information, such as internal network addresses or system files. In this recipe, we viewed the content of the /etc/passwd file by performing an XXE injection attack. And to perform the XXE injection attack, we changed the XML input by adding the DOCTYPE element to add the external entity that includes the passwd file path. Then the external entity was used in the productId value, which caused the application to return the passwd file content in the response, which enabled us to gather more information about the accounts in the system.
207
208
Advanced Attack Techniques
Working with JSON Web Tokens JSON Web Tokens (JWTs) are used for authentication, session handling, and authorization of data between systems. JWT vulnerabilities are usually design flaws, misconfigurations, or the use of insecure libraries. When testing for JWT flaws, the tester attempts to bypass the signature verification process, which bypasses the authentication or authorization mechanism. The information sent in the JWTs are called claims and are cryptographically signed JSON objects. Each JWT is made out of three sections; the first is a header, the second is the payload, and the third is a signature. Each section is divided by a . (dot) and encoded using base64 encoding. The header contains information about the token, the payload section includes the claims, and the signature is usually a hashed value of the header and the payload section combined and used for integrity checks. In this recipe, you will attack a misconfigured server that issues JWTs to accept unsigned tokens. To finish the lab, we will walk you through deactivating the user – Carlos – and change the session token so that you can access the admin panel.
Getting ready This lab requires a PortSwigger Academy account, a Base64 encoder/decoder, and ZAP should be able to intercept requests and responses from the server to your browser.
How to do it... In this section, we will complete the PortSwigger Academy’s JWT authentication bypass via flawed signature verification lab to demonstrate how to change the values in the JWT payload to log in as the administrator and delete a user account. Take the following steps to start the lab: 1. Navigate to the URL with the browser proxied to ZAP and log into the PortSwigger Academy website to launch the JWT authentication bypass via flawed signature verification lab (https:// portswigger.net/web-security/jwt/lab-jwt-authentication-bypassvia-flawed-signature-verification). 2. Once you access the lab, click on My account and log in with the credentials provided in the lab description. 3. Open ZAP and find the GET request to /my-account page. Right-click the request and select Open/Resend with Request Editor…. 4. You can see in the request that the cookie session is a JWT, as it is separated by a dot. The goal in this lab is to access the admin portal by manipulating the JWT cookie. We will need a Base64 encoder/decoder; in this lab, I am using CyberChef (https://gchq.github. io/CyberChef). Copy the header from the token, which is the first part before the dot and after session=. Open your favorite Base64 decoder and encode the header. Change the alg
Working with JSON Web Tokens
value from RS256 to none and encode it again, as seen in Figure 10.3. Copy the encoded value and save it so we can use it later in the lab:
Figure 10.3 – The none algorithm
5. Now, copy the payload from the JWT; it is the second part located between two dots in the token. Decode it in a Base64 decoder, and change the sub value from the username you used to administrator, as seen in Figure 10.4. Encode the payload and copy and save the encoded payload to be used in the next step:
Figure 10.4 – Changing the user account
209
210
Advanced Attack Techniques
6. In the Request Editor in ZAP, change /my-account to /admin. Delete everything after session=, and add the encoded header value we created earlier. Add a dot, then add the encoded payload value we created earlier. Add a dot after the payload. Figure 10.5 shows the values added:
Figure 10.5 – Session cookie
7. Click on Send; as you can see in the Response tab, the application responded with the Admin Panel code. 8. Open your browser, and go to the /admin page, as you can see, you can’t view the Admin page. To view the Admin page, we will have to change the cookie value. I am using Chrome to change the cookie value. I have to open Developer Tools, navigate to the Application tab, and find the cookie under Cookies. In the Value column, I double-clicked the value and pasted the JWT we created. 9. After adding the JWT we created, refresh the page. As you can see, we can view the admin page, as shown in Figure 10.6. Let’s delete the user carlos.
Performing Java deserialization attacks
Figure 10.6 – The Users page
This concludes the lab for this recipe. We have bypassed the authentication and authorization mechanism to view the admin page.
How it works... In this lab, we decoded the header of the token and changed the value of the alg attribute to none. By changing the alg attribute to none, we can bypass the verification of the signature in the token. Then, we decoded the payload and changed the value of the sub attribute to administrator to be able to use the administrator account. After that, we encoded the header and the payload and used them as our session cookie value. By doing that, we were able to bypass the authentication and authorization mechanism of the website.
There’s more... Using the none value for the alg attribute is not the only way to make the application server accept the JWT you create. Another method to bypass authentication and authorization is to find or brute force the secret key. HS256 is another alg value that uses a secret key. If an attacker finds the secret key, they could sign any JWT they create and pass it to the server. Tools such as Hashcat can brute force the secret key using a wordlist.
Performing Java deserialization attacks Java employs a process called serialization that turns an object into a byte stream. On the flip side, deserialization is the process of returning a serialized stream of bytes to an object in the machine’s memory. In this type of attack, the attacker introduces malicious data into the application code by modifying serialized objects. This attack is only possible if the website deserializes data provided by the user. If user-provided data or any data from sources you don’t trust must be deserialized, checks and safeguards must be implemented to prevent the untrusted sources from altering the data. Checks and safeguards must be done before the start of the deserialization process; otherwise, it will not be effective. Due to the difficulties in preventing deserialization attacks, data deserialization should only be used if it can’t be avoided.
211
212
Advanced Attack Techniques
Within this recipe, you will attack a susceptible serialization-based session mechanism that’s vulnerable to privilege escalation. To conduct this attack, you will edit the serialized object in the session cookie to take advantage of this flaw and gain administrator rights to remove Carlos’ account.
Getting ready This lab requires a PortSwigger Academy account and ZAP to intercept requests and responses from the server to your browser.
How to do it... The following steps walk you through solving the PortSwigger Academy Modifying serialized objects lab. In this lab, you will modify the session cookie’s serialized object to escalate your account privileges and be able to delete a user account. Please follow these instructions: 1. Navigate to the URL with the browser proxied to ZAP and log into the PortSwigger Academy website to launch the lab (https://portswigger.net/web-security/deserialization/ exploiting/lab-deserialization-modifying-serialized-objects). 2. Open ZAP and go to Manual Explorer. Enter the lab URL in the Firefox launcher. 3. Log in to the lab application using the credentials provided by PortSwigger. 4. Click the response after the login GET /my-account request, which contains a session cookie. This cookie appears to be URL and Base64-encoded. 5. To understand what data is in this string, send it over to the Encode/Decode/Hash tool by right-clicking the selected cookie value. Click the Decode tab and look at the Base64 Decode row. You’ll see the following values: O:4:"User":2:{s:8:"username";s:6:"wiener";s:5:"admin";b:0;} 6. The cookie is actually a serialized PHP object. String values are always contained within double quotes. s is the size of the object followed by the object name in double quotes. At the end of the code string, the admin attribute contains b:0, indicating a Boolean value of false. Open this request in Manual Request Editor. 7. In its decoded form, open CyberChef to change the value of b:0 to b:1 to equal true and re-encode in base64 as well as URL encoded =. Insert this encoded string back into the cookie and send the request. See Figure 10.7:
Performing Java deserialization attacks
Figure 10.7 – CyberChef encoded session data
8. When you receive the response, scroll through the content of the HTML code, as shown in Figure 10.8, to find a link that shows /admin. This shows that you accessed a page with admin privileges:
Figure 10.8 – Response with the /admin path
9. In our next step, go back to the Request tab and update the GET request path to /admin, and hit Send again. You’ll receive a 200 HTTP status and then see a specific href to delete user accounts:
Figure 10.9 – /admin response
213
214
Advanced Attack Techniques
10. Update the path to include /admin/delete?username=carlos and send the request once more to complete this recipe. You may need to refresh the browser page to see the completion status of the lab.
How it works... When using Java to build objects and these objects are no longer in use, they get saved in memory to be later deleted by the garbage collector. Java must convert these objects into a byte stream before transferring that data, storing it on a disk, or transmitting it over a network. The class of that object must implement the Serializable interface in order to do this. As was already said, serialization enables us to transform an object’s state into a stream of bytes. The actual code is not included in this byte stream. A malicious user trying to introduce a changed serialized object into the system to compromise the system or its data results in a Java deserialization vulnerability.
There’s more... Java applications automatically manage their memory using a process known as garbage collection. Java applications can be executed on a Java virtual machine (JVM) by compiling to bytecode. Objects are produced on the heap, a section of memory reserved for the application when Java programs are launched on the JVM. Some objects will eventually become obsolete. To free up memory, the garbage collector discovers these useless objects and deletes them. As for the Serializable interface, this is contained within the java.io package. It is a marker interface that contains no methods or fields. Therefore, classes that incorporate it don’t need to define any methods. If classes wish to be able to serialize or deserialize their instances, they must implement it.
See also For more information on PHP serialization, visit https://www.php.net/manual/en/ function.serialize.php. For CyberChef, visit https://gchq.github.io/CyberChef/.
Password brute-force via password change A brute force attack is a cracking method that uses trial and error to compromise login information, encryption keys, and passwords. It is a simple yet effective method for gaining unauthorized access to user accounts, business systems, or networks. Until they discover the proper login details, a malicious user attempts a wide variety of usernames and password combinations to obtain the right authentication credentials. In this recipe, we will attack a vulnerable password change function within the application using brute-force attacks.
Password brute-force via password change
Getting ready This lab requires a PortSwigger Academy account and ZAP to intercept requests and responses from the server to your browser.
How to do it... In this recipe, we will demonstrate a brute-force attack by completing the PortSwigger Academy Password brute-force via password change lab to find the correct credentials. To start the lab, follow these instructions: 1. Navigate to the URL with the browser proxied to ZAP and log into the PortSwigger Academy website to launch the lab (https://portswigger.net/web-security/authentication/ other-mechanisms/lab-password-brute-force-via-password-change). 2. Download the Authentication lab passwords provided by PortSwigger to a text file on your computer. You will be using these specifically for the recipe (https://portswigger. net/web-security/authentication/auth-lab-passwords). 3. With ZAP open, go to Manual Explore, open Firefox via the launcher, and resolve the PortSwigger lab URL. Continue to the PortSwigger Authentication lab. Important note In ZAP, to view the request and response more easily, be sure to add the URL being tested to Context by right-clicking on the web URL in the Sites window and Include Site in Context, then click the bullseye to remove any other sites from view. This can be done in the History tab of the Information window and elsewhere that has a bullseye. 4. Log in to the lab application using the credentials provided and set the Breakpoint in the HUD. 5. Once logged in, you will be at the web page where you can update your current password. Here, we’ll begin to test its functionality. Keep in mind that the username is provided in the request as a hidden input.
215
216
Advanced Attack Techniques
6. We’ll mess around with this feature to enumerate correct passwords but first, let’s look at varying ways to gain different responses: A. Enter an incorrect current password followed by two matching passwords. If you enter passwords like this twice, the account will log you out and lock. Then, when attempting to log back in, you’ll get an error of being locked out for one minute, as shown in Figure 10.10:
Figure 10.10 – Locked account message
B. But if you use an incorrect current password, but the new passwords do not match, you will not be logged out and locked out. A Current password is incorrect error will appear. C. Lastly, if you use the correct, current password but you enter two different new passwords, you will get a New passwords do not match error message splashed on the web page. 7. In the History tab, open the request where you entered the correct, current password and two different new passwords in Fuzzer, as shown in Figure 10.11:
Figure 10.11 – The POST request change password
Password brute-force via password change
8. Click on Edit to change the username parameter to carlos. 9. Next, select password in the current-password parameter and click Add, Add again, and then drop down the menu to File. This will add our password list to use for brute-forcing. Ensure the other two new password parameters are different values, as shown in the previous example, Figure 10.11. 10. In the File payload, click on Select... to open your computer’s directory and navigate to where you saved the file. 11. Next, add a second payload, strings, in an empty space in the body just after the second password. Add the New passwords do not match line, check the Multiline box, click Add, then OK. Important note Adding a Stings payload type helps you grep match on content in the body of the response. Yours should have two payloads, as shown in Figure 10.12:
Figure 10.12 – Fuzzer payloads
12. Start Fuzzing.
217
218
Advanced Attack Techniques
13. The attack will run for a little and once it stops, look for a response that contains the word Reflected in the Fuzzer tab of the Information window. Sort the State column, as shown in Figure 10.13. When scrolling through the payloads, look at the body of the response for
New passwords do not match. This payload will be your password:
Figure 10.13 – Fuzzer history
14. Go back to the application in the browser, log out of the current account you’re logged into, and then log back in using the carlos username and the newly found password.
How it works... Attackers look for areas within an application to forcefully attempt numerous usernames or passwords and conduct varying techniques to do so. The four most common are as follows: • Simple brute force attacks are where attackers attempt to guess a user’s login by manually typing them in one at a time.
Password brute-force via password change
• A dictionary attack is a type of password guessing attack that inputs a list of potential passwords, consisting of swapping some of the letters with symbols or numbers and comparing it to a username of the target. Typically, this attack takes much longer to succeed and thus has a decreased likelihood of working. • A rainbow table attack comprises a database that is made up of passwords and their hash values, which are then compared against the target hash for a match. This takes less time to crack. • Hybrid attacks combine both dictionary and rainbow tables. Many of these passwords and tables come from underground sources from previous breaches being sold or passed around the internet and help form more accurate attacks on networks.
See also Other sources to help build lists can be searched for via search engines for default credentials for the technology being used, or utilize one of these links: Credentials: • https://github.com/ihebski/DefaultCreds-cheat-sheet • http://www.vulnerabilityassessment.co.uk/passwordsC.htm • https://192-168-1-1ip.mobi/default-router-passwords-list/ • https://datarecovery.com/rd/default-passwords/ • https://bizuns.com/default-passwords-list • https://github.com/danielmiessler/SecLists/blob/master/Passwords/ Default-Credentials/default-passwords.csv • https://www.cirt.net/passwords • https://www.passwordsdatabase.com/ • https://many-passwords.github.io/ Wordlists: • https://github.com/Dormidera/WordList-Compendium • https://github.com/danielmiessler/SecLists • https://github.com/kaonashi-passwords/Kaonashi • https://crackstation.net/crackstation-wordlist-password-crackingdictionary.htm
219
220
Advanced Attack Techniques
Web cache poisoning Web cache poisoning is a sophisticated technique whereby an attacker manipulates a web server and its cache functionality to send other users a malicious HTTP response. In this recipe, we’ll exploit a vulnerable lab that does not properly validate input within an unkeyed header susceptible to web cache poisoning. This attack will take advantage of the web application’s home page, where unsuspecting visitors will be open to the attack. We’ll walk you through web cache poisoning in a response that causes the visitor’s browser to execute malicious JavaScript code.
Getting ready This lab requires a PortSwigger Academy account and ZAP to intercept requests and responses from the server to your browser.
How to do it... In this section, we will lay out the steps you can take to complete the PortSwigger Academy Web cache poisoning with an unkeyed header lab and poison the cache to display the cookie. To start the lab, take the following steps: 1. Navigate to the URL with the browser proxied to ZAP and log into the PortSwigger Academy website to launch the lab: https://portswigger.net/web-security/web-cache-poisoning/ exploiting-design-flaws/lab-web-cache-poisoning-with-anunkeyed-header 2. Capture the website’s home page. To reiterate this response, refresh the web page or click the home page button. 3. Look for the GET request that is generated from the home page and open it in the Manual Request Editor, as shown in Figure 10.14:
Figure 10.14 – The GET request
Web cache poisoning
4. Next, add a cache-buster query parameter after the URL (/?cb=1337). A cache-buster header is a type of HTTP response header that is used to prevent web browsers from caching specific resources on a web page. This can be useful in situations where you want to ensure that users always see the latest version of a resource rather than a potentially outdated version that might have been stored in the browser’s cache. Cache-buster headers typically contain a unique identifier or timestamp that changes each time the resource is requested, which forces the browser to download the latest version of the resource rather than using a cached version. This can help to ensure that users always have access to the most up-to-date content on a website. Important note The process to locate vulnerable parameters to web cache poison can be automated using an extension called Parameter Digger. Refer to the See also section for reference. 5. In addition, add the X-Forwarded-Host header with any random hostname, as shown in Figure 10.15, such as zaproxy.org, and click Send.
Figure 10.15 – Cache buster query and the X-Forwarded-Host header
6. When the X-Forwarded-Host header is used, a dynamically generated reference is shown in the web app’s source code for importing a JavaScript file that’s stored at /resources/ js/tracking.js.
221
222
Advanced Attack Techniques
All the details required to find a resource are in this absolute URL, as shown in Figure 10.16:
Figure 10.16 – Dynamic URL in the web app source code
7. In addition, when looking at the response, as in Figure 10.16, the response contains the X-Cache: hit header. If you see the X-Cache: miss header, continue to click Send to get a hit:
Figure 10.17 – The X-Cache: miss response
The X-Cache header is a type of HTTP response header that is used to indicate whether a resource was served from the cache of a web server or from the origin server itself. If the header contains the value hit, the resource was served from the cache, which can be faster and more efficient than serving the resource directly from the origin server. This can be useful for improving a website’s performance by reducing the amount of data that needs to be transferred between the server and the client.
Web cache poisoning
8. With this information, click the link to go to the exploit server and update the filename to be the path to the JavaScript from the absolute URL: /resources/js/tracking.js 9. Next, enter a JavaScript XSS payload into the body and click Store to save the exploit: alert(document.cookie) 10. Again, open the GET request for the home page in Manual Response Editor and remove the cache buster parameter and then add the X-Forwarded-Host header that points to the exploit server (ensure to use your EXPLOIT-SERVER-ID that is provided in the URL on top of the exploit page): X-Forwarded-Host: EXPLOIT-SERVER-ID.exploit-server.net
Figure 10.18 – The GET request for web cache poisoning
Important note When crafting the GET request, be sure to remove the cache-buster header, and when adding the exploit server URL, do not include https:// or the trailing /.
223
224
Advanced Attack Techniques
11. Click Send, and continue sending the request until the exploit server URL is reflected in the response along with X-Cache: hit in the headers, as shown in Figure 10.19:
Figure 10.19 – A successful exploit request
12. Once you have a hit, go to the web app in the browser and refresh the page. This will load the web cache poisoned URL into the browser that triggers the alert() JavaScript payload, as shown in Figure 10.20. Important note The web cache for this lab will expire every 30 seconds. It’s important to perform the test quickly. 13. You may need to continue sending the malicious GET request, followed by refreshing the web app browser page to get the web-poisoned page to load and execute the payload:
Figure 10.20 – The XSS payload execution
Web cache poisoning
How it works... Web cache poisoning typically involves manipulating the HTTP headers of a request to a web server in such a way that the server will cache a malicious or false version of the response. For example, an attacker might send a request with a forged Last-Modified header that indicates that the response should be considered fresh and cached by the server, even if it contains malicious or false content. When subsequent requests are made to the same resource, the server will serve the poisoned response from its cache instead of requesting a fresh copy from the origin server.
See also Parameter Digger, a tool for finding parameters, is called the Param Digger. It reveals obscure, unconnected, and hidden characteristics that can help broaden the attack surface and make it simpler to uncover vulnerabilities. It employs brute-force guessing techniques to find parameters using a seed URL that has been provided here: https://www.zaproxy.org/docs/desktop/addons/ parameter-digger/.
225
11 Advanced Adventures with ZAP Here we are at the final chapter. You’ve learned about the options Zed Attack Proxy (ZAP) offers, from navigating the interface to configurations, from crawling web applications, scanning, and reporting to learning about authentication, authorization, session management, injection attacks on unvalidated inputs, as well as business logic testing, client-side attacks, and some advanced techniques. This final chapter will see a change of pace and look at other implementations and uses of ZAP. We’ll introduce you to using the OWASP ZAP GUI to start web crawling and scanning for vulnerabilities against APIs, but also how to use the API in Docker to scan web applications. We’ll also discuss and show you how to build ZAP into a Jenkins pipeline to conduct dynamic analysis of web applications, and how to install, build and configure the ZAP GUI OAST server for out-of-band vulnerabilities. In this chapter, we will cover the following recipes: • How to use the ZAP GUI local API to scan a target • How to use the ZAP API via Docker • Utilizing ZAP DAST tests in a Jenkins CI DevOps pipeline • Installing, configuring, and running the ZAP GUI OAST server
Technical requirements In this chapter, you will need to install numerous tools that will coordinate with ZAP to complete the recipes. For the API recipe, you will need to install Docker and the command-line script for the OWASP ZAP API. Docker will also be needed for the Jenkins pipeline as well as for the standalone BOAST server. In addition, we will continue to use the Mozilla Firefox browser and a fork of the GitHub Juice-shop application code. Lastly, we’ll test using the command-line tool cURL.
228
Advanced Adventures with ZAP
How to use the ZAP GUI local API to scan a target The ZAP API scan is a script included with the ZAP Docker images. It is optimized to scan APIs specified by OpenAPI, SOAP, or GraphQL through a local file or a URL. It imports the definition you give and then does an active scan of the URLs discovered. The ZAP API makes it possible to incorporate ZAP features into scripts and applications. In this recipe, we will walk through downloading the ZAP Docker image and then running it to scan against the Juice-Shop URL.
Getting ready Docker will need to be installed as well as the ZAP Docker image. Be sure that the ZAP image is able to intercept requests and responses from the server to your browser. We will also be using the command line to run the image and kick off spidering and scanning. OWASP ZAP Desktop will also be needed: https://www.docker.com/products/docker-desktop
How to do it… ZAP API-based effective automated analysis can assist in identifying emerging flaws. Using the current functional regression test suites and the ZAP Python API, OWASP ZAP will assist you in automating security tests to incorporate into the Continuous Integration/Continuous Delivery (CI/ CD) pipeline for your application. Important note The ZAP API scan is a script that is available in the ZAP Docker images. Download owasp zap docker here: docker pull owasp/zap2docker-stable. 1. Start OWASP ZAP by running the desktop executable, the zap.sh script (on Linux/macOS), or the zap.bat script (on Windows) from the Terminal: Windows: .\zap.bat Linux/Mac: ./zap.sh Cross Platform: java -Xmx512m -jar zap-2.12.0.jar Important note To run ZAP headless, use the -daemon flag. The OWASP ZAP daemon mode is a feature that allows the tool to run as a daemon, or background service, on a machine. This can be useful if you want to set up continuous scanning of a web application or want to remotely control the tool using the OWASP ZAP API.
How to use the ZAP GUI local API to scan a target
2. In the OWASP ZAP UI, open Tools then Options and go to the API tab. Note the API key, as shown in Figure 11.1, as well as the permitted IP addresses for use with the API and a few other options. You have checkboxes to enable the API and web UI (127.0.0.1:PORT/UI or /json). In addition, there are a few debug options that are only recommended for testing purposes, such as Disable the API key.
Figure 11.1 – API options
3. To get started, ensure the appropriate plugins are added from the Marketplace. OWASP ZAP supports OpenAPI, GraphQL, and SOAP. 4. To start a scan, you can simply use Automated Scan from the Quick Start menu and scan the endpoint. The only difference is to ensure that the URL has the appropriate API scope: OpenAPI: https://www.example.com/openapi.json GraphQL: https://www.example.com/graphql
229
230
Advanced Adventures with ZAP
5. The results will populate in the same Information window under the Alerts tab, as seen in Figure 11.2:
Figure 11.2 – The GraphQL Alerts results
How it works… You can interact with the ZAP API scanner using a variety of different methods to carry out a variety of tasks, such as spidering a web application to learn about its contents, looking for application vulnerabilities, or creating reports. Making HTTP requests to the ZAP API endpoint, which is made available by the active ZAP instance, is the standard procedure for using the ZAP API. Depending on how you’ve set up the tool, the endpoint will be at a particular URL. There are several ways to employ the ZAP API scanner. It allows you to scan an individual web page, an entire web application, or a collection of connected online applications. Additionally, it may be used to automate a number of security-related operations, including planning scans, creating reports, and connecting with other security solutions.
How to use the ZAP API via Docker
How to use the ZAP API via Docker Using Docker to execute and administer the ZAP application is known as running ZAP via Docker. If you want to run ZAP in a containerized environment or quickly install and operate ZAP on many machines, this can be helpful.
Getting ready You must install Docker on your computer and get the ZAP Docker image from Docker Hub in order to access the ZAP API via Docker. The image can then be run as a Docker container, and you can communicate with the container while it is running using the ZAP API.
How to do it… The ZAP application will launch inside the container when you run the ZAP Docker image. ZAP will then handle any requests sent to the running container using the ZAP API. You can interact with ZAP using a variety of different methods provided by the ZAP API, such as spidering a web application to learn about its contents, looking for application vulnerabilities, or creating reports: 1. In addition to running the API scans via the GUI, you can kick off scans using Docker via the command line. 2. To use API via the Docker command line, open a Terminal session and run Docker to pull the image off ZAP: docker pull owasp/zap2docker-stable 3. Next, after the image downloads, run Docker again but this time to create a container of ZAP that will run the ZAP API, as follows: docker run -t owasp/zap2docker-stable zap-api-scan.py -t https://www.example.com/openapi.json -f openapi
231
232
Advanced Adventures with ZAP
4. After a few moments, the command line will showcase the attacks running and whether they pass, fail, or come with other warnings, as shown in Figure 11.3.
Figure 11.3 – A Docker API scan of Juice-Shop
You will see the results at the end as well (see Figure 11.4).
Figure 11.4 – The Docker API scan results
By default, the script does the following: • Imports the specified API definition • Actively scans the API using a specific scan profile tailored for APIs • Notifies the command line of any problems discovered
How to use the ZAP API via Docker
Important note If no bugs are detected, this does not imply that your API is secure. You may need to conduct a manual penetration test.
How it works… The API provides a set of methods that can be used to perform various actions, such as starting and stopping a scan, setting the target for the scan, and retrieving the results of the scan. To use the OWASP ZAP API, you will need to make HTTP requests to the API endpoint, which is typically hosted on the same machine as the ZAP application. The API uses a Representational State Transfer (RESTful) design, which means that you can use standard HTTP methods (such as GET, POST, PUT, and DELETE) to perform different actions. When you use the OWASP ZAP API to start a scan, the tool will begin to crawl the target web application and perform various types of tests to identify vulnerabilities. These tests can include looking for SQL injection (SQLI) vulnerabilities, cross-site scripting (XSS) vulnerabilities, and other types of vulnerabilities that can be exploited by attackers. Once the scan is complete, the OWASP ZAP API will provide a report detailing any vulnerabilities that were identified. The report will typically include information about the type of vulnerability, the location of the vulnerability within the application, and any recommendations for how to fix the vulnerability.
There’s more… In addition to using the OWASP ZAP API through HTTP requests, there are also a number of client libraries and language bindings available that make it easier to use the API in different programming languages. These libraries provide a set of functions and methods that you can use to make API calls and interact with the ZAP tool, rather than having to manually construct and send HTTP requests. For example, client libraries are available for languages such as Python, Java, and C#, allowing you to utilize the OWASP ZAP API in your own programs. Using these libraries can make integrating the ZAP tool into your own application or process easier, as well as save you time by handling the intricacies of performing API calls and analyzing the answers. There are also a number of other ways that you can use the OWASP ZAP API, depending on your specific needs. For example, you can use the API to automate security testing as part of a CI/CD pipeline, or integrate the ZAP tool into a custom security tool or platform. You can also use the API to perform scans regularly or in response to specific events, such as the deployment of new code to a production environment.
233
234
Advanced Adventures with ZAP
See also When running the API script, here are some more command options for use with the ZAP API: Options: -c config_file config file for INFO, IGNORE or FAIL warnings -u config_url URL config file for INFO, IGNORE or FAIL warning -g gen_file generate default config file(all rules set to WARN) -r report_html file to write the full ZAP HTML report -w report_md file to write the full ZAP Wiki(Markdown) report -x report_xml file to write the full ZAP XML report -a include the alpha passive scan rules as well -d show debug messages -P specify listen port -D delay in seconds to wait for passive scanning -i default rules not in the config file to INFO -l level minimum level to show: PASS, IGNORE, INFO, WARN or FAIL, use with -s to hide example URLs -n context_file context file which will be loaded prior to scanning the target -p progress_file progress file which specifies issues that are being addressed -s short output format - don't show PASSes or example URLs -z zap_options ZAP CLI options (-z "-config aaa=bbb -config ccc=ddd") For more information, visit the following links: • OWASP ZAP official documentation: ZAP – API Scan: https://www.zaproxy.org/ docs/docker/api-scan/ • OWASP ZAP official documentation: Options API screen: https://www.zaproxy.org/ docs/desktop/ui/dialogs/options/api/ • OWASP ZAP official documentation: Scanning APIs with ZAP: https://www.zaproxy. org/blog/2017-06-19-scanning-apis-with-zap/ • OWASP ZAP official documentation: Exploring APIs with ZAP: https://www.zaproxy. org/blog/2017-04-03-exploring-apis-with-zap/ • OWASP ZAP official documentation: Why is an API key required by default?: https://www. zaproxy.org/faq/why-is-an-api-key-required-by-default/
Utilizing ZAP DAST testing with Jenkins
• OWASP ZAP official documentation: How can I connect to ZAP remotely?: https://www. zaproxy.org/faq/how-can-i-connect-to-zap-remotely/ • OWASP ZAP official FAQ documentation on how to use the ZAP API: https://www. zaproxy.org/faq/how-can-you-use-zap-to-scan-apis/ • A GitHub Action for running the OWASP ZAP API scan: https://github.com/ marketplace/actions/owasp-zap-api-scan
Utilizing ZAP DAST testing with Jenkins Jenkins is an open source CI/CD technology that aids in the automation of the software development process. Jenkins allows developers to seamlessly merge code changes and automatically create, test, and deploy applications, making the software development process more efficient and dependable. Jenkins is extensively used by teams of all sizes to automate their software delivery processes, and it is easily customizable to meet the demands of each project. In this context, the OWASP ZAP is a Dynamic Application Security (DAST) vulnerability detection tool for web applications. It can be linked to a Jenkins pipeline to automate security testing as part of the CI/CD process.
Getting ready This recipe requires the installation of Jenkins and Docker on an Ubuntu 22.04 virtual machine. Ensure Juice-Shop is running locally to scan against it. Important note If you are running Jenkins on a local system, you must offer access rights/permissions to owners, normal users, and non-users with the sudo chmod 777 /var/run/docker. sock Terminal command. The script will not operate unless you provide access to owners, normal users, and non-users. Please keep in mind that this script is exclusively for scanning applications that are already in production/sandbox/UAT/SIT environments.
How to do it… In this recipe, we will walk you through the process of installing OWASP ZAP in a Jenkins pipeline and setting up the automation for running scans during new code iterations and pushes. In addition, we’ll build ticketing with JIRA into the process to complete the DevOps life cycle: 1. With Jenkins running and Docker installed, open your browser of choice and go to your Jenkins app: http://:8080
235
236
Advanced Adventures with ZAP
Important note Jenkins boot setup runs by default at https://localhost:8080/. Adjust the boot configuration by editing the jenkins.xml file in your installation location. Other boot configuration parameters, such as JVM options, HTTPS configuration, and so on, can also be modified in this file. 2. Log in with the credentials you created when first setting up Jenkins. If you have not completed this step, you will need to enter initialAdminPassword, which is found in the following path: Windows: C:\ProgramData\Jenkins\.jenkins\secrets Linux: /var/lib/jenkins/secrets/ MacOS: /Users/Shared/Jenkins/Home/secrets/ 3. On the home screen, we’ll create a new item, name it ZAP, and select Pipeline, as shown in Figure 11.5:
Figure 11.5 – A new Jenkins item
Utilizing ZAP DAST testing with Jenkins
4. On the next screen, you’ll have several settings or build triggers, but we’ll move past those and go to the Pipeline script (see Figure 11.6).
Figure 11.6 – The Pipeline script
5. We’ll enter the following Groovy script: pipeline { agent any parameters { choice(name: "ZAP_SCAN", choices: ["zap-baseline. py", "zap-full-scan.py"], description: "Parameter to choose type of ZAP scan") string(name: "ENTER_URL", defaultValue: "http://192.168.1.1:3000", trim: true, description: "Parameter for entering a URL to be scanned") } stages { stage('Get Write Access'){ steps { sh "chmod 777 \$(pwd)" } }
237
238
Advanced Adventures with ZAP
stage('Setting up OWASP ZAP docker container') { steps { echo "Starting container --> Start" sh "docker run --rm -v \$(pwd):/zap/wrk/:rw --name owasp -dt owasp/zap2docker-live /bin/bash" } } stage('Run Application Scan') { steps { sh "docker exec owasp ${params.ZAP_SCAN} -t ${params.ENTER_URL} -I -j --auto" } } stage('Stop and Remove Container') { steps { echo "Removing container" sh ''' docker stop owasp ''' } } } } 6. Once you click Save, you are brought to the Stage view screen. This is where you have options to see the status, see the changes, build now, configure, delete the pipeline, see the full stage view, rename your pipeline, and see the pipeline syntax, as shown in Figure 11.7:
Utilizing ZAP DAST testing with Jenkins
Figure 11.7 – Stage View
7. To run the script we just entered, click Build with Parameters. 8. This will kick off the script and run through the steps we entered. You’ll see your new build running in Build History as well as the steps running in Stage View, as shown in Figure 11.8:
Figure 11.8 – The new build
239
240
Advanced Adventures with ZAP
9. You can also click on the number in Build History to go to the build to see more details, such as Console Output, which shows the pipeline executing, the commands, and any errors that may have occurred, as shown in Figure 11.9. Errors will be very obvious, indicated by the red X symbol in Console Output or next to the number in Build History, or will be red at the stage it occurred in Stage View.
Figure 11.9 – Console Output
10. Once the scan completes, you can review the results by clicking on the stage in Stage View and then Logs, as shown in Figure 11.10.
Figure 11.10 – Logs
Utilizing ZAP DAST testing with Jenkins
This view will show you the details of the scan, where you can digest all the findings and see where in the URL these issues occurred (see Figure 11.11).
Figure 11.11 – Stage Logs
A successful build and scan require a lot of trial and error with the pipeline setup, which necessitates reading pipeline errors or commenting out sections in the script.
How it works… The Jenkins pipeline is configured to run OWASP ZAP as a step in the build process. This can be done using a Jenkins plugin or by calling the OWASP ZAP command-line interface (CLI) directly from a Jenkins script. When the pipeline is executed, Jenkins triggers OWASP ZAP to run a security scan against the application being tested. OWASP ZAP will attempt to find any vulnerabilities in the application, such as SQLI flaws or XSS vulnerabilities. OWASP ZAP then generates a report, detailing any vulnerabilities that were found, along with recommendations for how to fix them. This report can be automatically sent to the development team for review. If the security scan identifies any critical vulnerabilities, the Jenkins pipeline can be configured to fail the build, preventing the vulnerable code from being deployed to production. Overall, integrating OWASP ZAP into a Jenkins pipeline helps automate the process of identifying and addressing security vulnerabilities in web applications, making the software development process more efficient and secure.
241
242
Advanced Adventures with ZAP
There’s more… The pipeline script is just an example of a simple way to scan a URL and see the results in the pipeline. With some more work with the script, you can generate reports and get these copied from the Docker container over to a directory of your choice. In addition, this pipeline build we have scripted will also create parameters that allow you to switch between the baseline scan and full scan as well as enter the URL of choice to be scanned, allowing you to build the pipeline quicker on your applications. Important note If, for some reason, your build is not scanning, check to see whether your Docker has stopped the container. If it hasn’t, you will need to do so before running the build again.
See also For more details, see the following when running Docker scans: • For the baseline scan, see https://www.zaproxy.org/docs/docker/baselinescan/ • For the full scan, see https://www.zaproxy.org/docs/docker/full-scan/
Installing, configuring, and running the ZAP GUI OAST server The BOAST server was created to receive and report the results of out-of-band application security testing. Some application security tests only result in out-of-band responses from the applications being examined. Because of the nature of these specific use case scenarios, the requests won’t transmit as a response back to the attacker and won’t be seen when a client is hidden behind a third-party NAT. A different component is then required in order to properly perceive such responses. This component needs the ability to be freely accessed over the internet and communicate the received protocols and ports without being constrained by that third-party NAT. In this recipe, we will walk you through how to install, configure, and test applications that require OOB, using the OWASP ZAP BOAST server, and how to install your own BOAST server for testing.
Getting ready This recipe requires ZAP set up to intercept and send requests and responses between the BOAST server and the client application. The following tools will need to be installed: • Docker: https://www.docker.com/products/docker-desktop/ • GoLang: https://go.dev/doc/install
Installing, configuring, and running the ZAP GUI OAST server
How to do it… In this recipe, we’ll be going through different techniques on how to install, configure, and run your own BOAST services to conduct out-of-band attacks: 1. First, in order to use the OAST server, you’ll need to download the add-on from ZAP Marketplace (see Figure 11.12).
Figure 11.12 – ZAP Marketplace
2. Once installed, go to the Tools menu, and select Options. Then, either go to Tools | Options… | OAST, click on the gear icon in the main toolbar and click OAST, or press Ctrl + Alt + O and then click OAST. 3. To view the OAST options, scroll down the tool Options menu until you see OAST (see Figure 11.13).
Figure 11.13 – OWASP OAST options
243
244
Advanced Adventures with ZAP
4. In the first setting under General, there’s a dropdown to select either BOAST or Interactsh, and a checkbox next to Use Permanent Database. 5. Select BOAST from the dropdown and go to the BOAST tab in the OAST options screen. Permanent Database is optional. By checking Use Permanent Database, you can keep track of registered out-of-band payloads in ZAP’s permanent database. According to the predetermined polling period, the persisted payloads will be placed into memory and queried with other payloads. Currently, only the BOAST service is able to provide a permanent database. Note that this means that alerts may show up during a ZAP session, even if they are not particularly or directly connected to the first analysis or scan. 6. Enter a valid server URI or use the default one. The URI that will be used for registration and polling should be pointed at by this address: https://odiss.eu:1337/events 7. The scheme, the host, the port, and the /events endpoint are all required components of a valid URI. A functional BOAST instance must be running on the host. 8. Select a polling interval. This is the frequency of polling for the registered BOAST servers. Values are taken in seconds. There is no maximum permissible value but a minimum of 10 seconds is required. The 60-second setting is the default. 9. Click on Register and a new entry for the payload and canary will be added to the Active Servers table. Copy this payload to use it in your attacks. When a request is made to the appropriate payload address, a random string known as the Canary value is returned to the destination web application. 10. Next, to test that the BOAST payload is working, open up a command-line terminal and curl the request of the URI given (see Figure 11.4): curl ij6azkfsiavavsmrjqpmj3pq54.odiss.eu
Figure 11.14 – A curl request
Installing, configuring, and running the ZAP GUI OAST server
11. ZAP will now poll this server at the frequency you set and report all interactions (DNS, HTTP, etc.) To view the payload URI, open the OAST tab in the informational window, as shown in Figure 11.5:
Figure 11.15 – BOAST
We can also send some other data via curl to see what is captured in our OAST polling. 12. Here is an example of a curl request that sends a POST request with a simple header and no data: curl -X POST -H "Content-Type: application/json" ij6azkfsiavavsmrjqpmj3pq54.odiss.eu The -X flag specifies the HTTP method to use – in this case, POST. The -H flag is used to set a custom header – in this case, the Content-Type header is set to application/json to indicate that the request body contains JSON data. You can also use --data or -d flag to include a request body in the POST request, for example: curl -X POST -H "Content-Type: application/json" -d '{"key": "value"}' secret.ij6azkfsiavavsmrjqpmj3pq54.odiss.eu This sends a POST request with a JSON-encoded request body containing the {"key": "value"} data, as shown in Figure 11.6:
Figure 11.16 – An example curl request with a secret
245
246
Advanced Adventures with ZAP
How it works… An out-of-band attack occurs when an attacker utilizes a different communication route than the one the victim is using. This makes it simpler for the attacker to access sensitive data or systems, since it enables them to get over any security measures that might be in place on the main communication route. There are several techniques to conduct out-of-band exploits. An attacker may, for instance, send a target a phishing email that tempts them to click on a link that installs malware on their machine. The virus might then be used to access the victim’s machine, giving the attacker access to take advantage of it to disrupt operations or steal important data. Another technique would be for an attacker to utilize a different communication channel to manage malware that has already been placed on a victim’s machine. For instance, the attacker may order the virus to do a certain action, such as deleting files or encrypting data for ransom, through a different channel, such as a phone call or text message. In general, because out-of-band attacks employ a different communication route than the one that is being defended, they can be challenging to identify and stop. People and organizations should be aware of the dangers presented by these assaults and take precautions to protect themselves. This can entail creating secure passwords, setting up security software, keeping it updated, and exercising caution when opening links or downloading things from untrusted sources.
There’s more… These types of flaws are extremely delicate and important to secure for a company, since malicious actors can take advantage of them. They are primarily seen in REST APIs and web applications. Here are a few examples of OOB attacks: • Blind server-side XML/SOAP injection: Similar to SQLI, an attacker sends XML or SOAP requests to a server with the intent of manipulating the server’s behavior, potentially reading or modifying data, executing arbitrary code, or launching other attacks, and the attack is “blind” because the attacker receives no immediate feedback about the success of the attack. • Blind XSS (delayed XSS): A covert and difficult-to-detect assault that allows an attacker to inject malicious code into a website and wait for someone else to initiate the attack by visiting the compromised web page, possibly stealing personal information or seizing control of the victim’s browser. • Host header attack: Manipulation of the host header in an HTTP request to deceive a web server into running malicious code or providing sensitive information, potentially allowing the attacker to take control of the server or reveal sensitive information. • Out-of-Band Remote Code Execution (OOB RCE): An attack that lets an attacker run arbitrary code on a target system by delivering the code and receiving the results over a separate
Installing, configuring, and running the ZAP GUI OAST server
communication channel, possibly revealing sensitive information or allowing the attacker to seize control of the system. • Out-of-Band SQL Injection (OOB SQLI): An SQLI attack in which an attacker executes arbitrary SQL instructions on a target database by leveraging a separate communication channel to send the commands and receive the results, possibly exposing sensitive information or allowing the attacker to gain control of the database. • Email header injection: Injecting harmful code into the headers of an email message in order to manipulate the behavior of the email client or server, perhaps misleading the victim into submitting sensitive information or downloading malware. • Server-Side Request Forgery (SSRF): An attack in which an attacker sends arbitrary requests from a susceptible server to other servers, resources, or services on the network, possibly revealing sensitive information or allowing the attacker to launch more attacks. • XML External Entity (XXE) injection: An attack that uses an XML parser vulnerability to access files or execute arbitrary code on a target system, possibly revealing sensitive information or allowing the attacker to take control of the machine. • OS code injection – OOB: An attack that enables an attacker to execute arbitrary system instructions on a target system by injecting the commands into a susceptible application, possibly exposing sensitive information or granting the attacker control of the system. • XXE – OOB: A version of the XXE attack in which the results of the XXE assault are sent OOB over a different communication route than the one being abused, possibly allowing the attacker to obtain sensitive information or take control of the system without being detected. Important note A new Extender script template called OAST Request Handler.js is introduced to ZAP if the Script Console and GraalVM JavaScript add-ons are both installed. This template can be used to develop a script that executes a command whenever an OOB request is found. This action might be anything, such as running another ZAP script or sending yourself an email.
See also There are a few other online services that allow us to interact with OOB attacks, such as the following: • Free web GUI Interactsh: https://app.interactsh.com/#/ • For ZAP extensions, see https://github.com/zaproxy/zap-extensions
247
Index A Access Control List (ACL) 90 active scan 66-71 AJAX Spider crawling with 58-62 technologies 62, 63 Alerts tab 38 options 38 Asynchronous JavaScript and XML (AJAX)-rich web applications 57 Audit 53 Authorization Schema bypassing 91- 94
B browser proxy, setting up 16-20 brute-force attacks used, for attacking vulnerable password change function within application 214-219 business logic flaws 155 bWAPP 16
Bypassing Authentication testing 79-82
C CA Certificate 20-22 cache-buster header 221 circumvention, of workflows testing 169-171 client-side URL redirect testing 189-194 code injection 133 buffer overflow 137 cross-site scripting (XSS) 137 remote code execution (RCE) 137 SQL injection 137 testing 133-137 command injection 133 testing 137-141 command-line interface (CLI) 241 Commix reference link 142 Content Security Policy (CSP) 118 Continuous Integration/Continuous Delivery (CI/CD) pipeline 228
250
Index
cookie attribute Domain attribute 100 Expires attribute 100 HttpOnly attribute 100 Path attribute 100 SameSite attribute 100 Secure attribute 100 testing 100-103 crawling 51 Crawljax 58 Credentials Transported testing, over Encrypted Channel 82-84 Cross-Origin Resource Sharing (CORS) 122 CSRF 198 phishing 199 testing 194-198 XSS 198 cross-platform package ZAP, installing on 9-11 cross-site request forgery (CSRF) 100 testing 103-106 cross-site scripting (XSS) 233 references 118 cross-site tracing (XST) 122 Custom Vectors window 69 CyberChef reference link 44
D database management systems (DBMS) 132 decode dialog 41-44 default credentials testing 84-87 deserialization 211 Directory Traversal File testing 88-90
Docker installing 11 installing, for MacOS 11 installing, for Windows 11 ZAP API, using via 231-233 Document Object Model (DOM) 62 Domain attribute 100 DOM-based cross-site scripting (DOM XSS) cookies 180 document properties 181 HTML attributes 181 input fields 180 JavaScript variables 181 query strings 180 testing 178-181 double encoding 186 Dynamic Analysis Security Testing (DAST) 71, 235
E encode dialog 41-44 Encrypted Channel Credentials Transported, testing 82-84 Expires attribute 100
F Filter tab 70 forge requests testing, ability to 156-159 FoxyProxy 16 Fuzzer Fuzz Locations tab 45-48 Message Processors tab 49, 50 Options tab 48, 49 used, for fuzzing 44, 45 Fuzz Locations tab 45-48
Index
G
J
garbage collection 214 graphical user interface (GUI) 25 Groovy Server Pages (GSP) reference link 147
Java installing 2-4 Java deserialization attacks performing 211-214 JavaScript execution testing 182-186 JavaScript Object Notation (JSON) 62 Java virtual machine (JVM) 214 Jenkins ZAP DAST testing, utilizing with 235-241 jQuery functions after() 181 append() 181 before() 181 html() 181 prepend() 181 test() 181 JSON Online Token (JWT) 113 JSON Web Token (JWT) 129 working with 208-211
H hash dialog 41-44 History tab 35 options 35 HTML injection phishing 189 SQL injection 189 testing 186, 187 user data, stealing 188 user, redirecting 189 HttpOnly attribute 100 HTTP Parameter Pollution (HPP) reference link 126 testing 123-126 HTTP requests OWASP ZAP API, using via 233 HTTP verb tampering testing 118-122 Hypertext Transfer Protocol (HTTP) 84 Hypertext Transfer Protocol Secure (HTTPS) 84
I Input Vectors 68 Insecure Direct Object References (IDOR) testing 95, 96
K key performance indicator (KPI) report 41
L LDAP Injection attacks reference link 132 Lightweight Directory Access Protocol (LDAP) 132 logout functionality testing 107-111
251
252
Index
M machine-in-the-middle (MiTM) 111 MacOS Docker, installing 11 ZAP, installing on 7-9 menu bar 27 list 27 Message Processors tab 49, 50 Mutillidae 97-99 reference link 97 setup 97
O OAuth 2.0 framework 193 OAuth authentication process authorization server 193 client application 193 resource owner 193 OOB attacks examples 246, 247 open authorization (OAuth) 190 Options tab 48, 49 OWASP Juice Shop setting up 12-14 OWASP Mutillidae 16 OWASP ZAP API using, via HTTP requests 233
P Parameter Digger 221, 225 passive scanning 64, 65 Path attribute 100 path traversal 88 percent-encoding 186
PHP serialization reference link 214 plus (+) symbol 39 options 39, 40 PortSwigger reference link 100 PortSwigger Academy sign up 14, 15 Privilege Escalation testing 91-94 process timing test 159-168 proxy setting up, on browser 16-20 proxy, on browser CA Certificate 20-22
R reflected XSS testing 116, 117 report generating 71-77 Representational State Transfer (RESTful) 233 RFC 9110 reference link 123 round trip time (RTT) 47
S SameSite attribute 100 scope setting, in ZAP 52, 53 Scripts tab 32, 33 options 33 Search tab 36-38 second-order XSS 118
Index
Secure attribute 100 secure socket layer (SSL) 84, 202 serialization 211 serpico reference link 77 server-side request forgery testing 147-153 Server-Side Request Forgery (SSRF) 133, 205
U
server-side template injection testing 142-147 server-side template injection (SSTI) 133 session hijacking reference link 114 testing 111-113 Session Puzzling reference link 111 Sites tab 31, 32 Sites tree 51 source scanning tools download links 71 Spider 53 crawling with 53-57 SQL Injection 126 preventing 126 testing 126-131 SQLMap reference link 132
W
T testing environment OWASP Juice Shop, setting up 12-14 setting up 12 sign up, for PortSwigger Academy 14, 15 Transmission Control Protocol (TCP) 202 Transport Layer Security (TLS) 84
unexpected file types, with malicious payload upload, testing of 172-176 Unicode encoding 186 Uniform Resource Identifier (URI) 191 URL encoding 186
web app active scanning 66-71 passive scanning 64 passive scanning 65 web application firewalls (WAFs) 50 web application firewall (WAF) 66, 122, 152 web cache poisoning 220-225 Web Distributed Authoring and Version (WebDAV) references 123 WebSockets testing 199-202 Wfuzz installation link 66 Windows Docker, installing 11 ZAP, installing on 4-7 WriteHat reference link 77
X XML External Entity (XXE) injection 153, 202, 247 performing 205-207
253
254
Index
XMLHttpRequest (XHR) 62, 122
Z ZAP Active Scan 141 ZAP API using, via Docker 231-233 ZAP DAST testing utilizing, with Jenkins 235-241 ZAP GUI local API using, to scan target 228-230 ZAP GUI OAST server configuring 242-246 installing 242-246 running 242-246 ZAP Proxy footer 40, 41 ZAP Proxy information window 35 Alerts tab 38, 39 History tab 35 plus (+) symbol 39, 40 Search tab 36-38
ZAP Proxy session persisting 26, 27 ZAP Proxy toolbar 28-30 shortcut 31 ZAP Proxy tree window 31 Scripts tab 32, 33 Sites tab 31, 32 ZAP Proxy workspace window 33, 35 Zed Attack Proxy (ZAP) 235 downloading 2 installation link 11 installing, on cross-platform package 9-11 installing, on MacOS 7-9 installing, on Windows 4-7 scope, setting in 52, 53 setup, testing 22, 23
Packtpub.com Subscribe to our online digital library for full access to over 7,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.
Why subscribe? • Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals • Improve your learning with Skill Plans built especially for you • Get a free eBook or video every month • Fully searchable for easy access to vital information • Copy and paste, print, and bookmark content Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at packtpub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at customercare@packtpub. com for more details. At www.packtpub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.
Other Books You May Enjoy If you enjoyed this book, you may be interested in these other books by Packt:
The Ultimate Kali Linux Book, Second Edition Glen D. Singh ISBN: 978-1-80181-893-3 • Explore the fundamentals of ethical hacking • Understand how to install and configure Kali Linux • Perform asset and network discovery techniques • Focus on how to perform vulnerability assessments • Exploit the trust in Active Directory domain services • Perform advanced exploitation with Command and Control (C2) techniques • Implement advanced wireless hacking techniques • Become well-versed with exploiting vulnerable web applications
Other Books You May Enjoy
Nmap Network Exploration and Security Auditing Cookbook, Third Edition Paulino Calderon ISBN: 978-1-83864-935-7 • Scan systems and check for the most common vulnerabilities • Explore the most popular network protocols • Extend existing scripts and write your own scripts and libraries • Identify and scan critical ICS/SCADA systems • Detect misconfigurations in web servers, databases, and mail servers • Understand how to identify common weaknesses in Windows environments • Optimize the performance and improve results of scans
257
258
Packt is searching for authors like you If you’re interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
Share Your Thoughts Now you’ve finished Zed Attack Proxy Cookbook, we’d love to hear your thoughts! If you purchased the book from Amazon, please click here to go straight to the Amazon review page for this book and share your feedback or leave a review on the site that you purchased it from. Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.
259
Download a free PDF copy of this book Thanks for purchasing this book! Do you like to read on the go but are unable to carry your print books everywhere? Is your eBook purchase not compatible with the device of your choice? Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost. Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application. The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily Follow these simple steps to get the benefits: 1. Scan the QR code or visit the link below
https://packt.link/free-ebook/9781801817332 2. Submit your proof of purchase 3. That’s it! We’ll send your free PDF and other benefits to your email directly